Pierluigi Paganini June 26, 2012

It’s not first time we discuss of cybercrime and in particular of its organizational models, creative servicex offer any kind of support to organizations and individuals that desire to conduct an attack against specific target.

Cyber criminals in the past have already used cloud architectures to rent computational resources to involve in powerful cyber attacks. Since now these platforms have been used to organize social networks for “customer care”, to develope file sharing services or to arrange hacking platforms to conduct automated pen test against the victims.

Unusual is the discovery made by a group of experts of the AlienVault, led by Alberto Ortega, on a new service that offers cyber-attack tools and hosting as part of malware-as-a-service.

Once again cybercrime operates as enterprise, the products proposed are tools for the organization of cyber attacks such as spam of malware, malware hosting, and a to build up a complete command and control infrastructure (C&C) for the arrangement of botnets.

The service is called Capfire4 and it’s a good example of C2C (Cybercrime to Cybercrime), the service provides technological support to criminals who haven’t necessary knowledge to conduct a cyber attack or to arrange a cyber scam.

How is provided the service?

In the simplest way, users can access to a Web portal that offers the possibility to create customized version of malware, to access to a management console to control bot of the infected networks. The owner of the portal proposed it as a service to remote control computers and recover passwords.

The service provided is cloud based and offers to the users a payment platform for the generation of malware and their control, all is documented with detailed tutorials.

The most popular malware on the portal are RAT (Remote administration tool), software created by to let the attacker spy on the victims with actions like keylogging, password stealing, command execution and remote access and controlling and screen capturing.

These tools are continually updated and improved to meet customer’s requirements, an excellent work made by specialists.

The platform also offer hosting service for the malware, once logged in the client can choose destination of the agent from a list of fake domains that appears like legitimate ones.

Of course the supply of similar services need of high skilled professional, the malware created must avoid antivirus and other defense system to be attractive for criminals. Due this reason the service provide also a rating mechanism for the detectability of the malware sold.

The platform also offer a management console, that uses HTTPS protocol with a valid certificate,  for the malicious agent, client can use it to gain to complete control of infected system.

The researchers have discovered that is address of the C&C machine is from Brazil and it is always the same 174.142.93.226 , and the communication between the agents and the C&C is done using HTTP using other protocol from port 9000 for command execution.

The experts of AlienVault  have also provided useful information regarding the platform and the detection of the malware sold, posting information on the C&C used, on the registration of the fake domains used for the hosting and providing the rules to detect the communication traffic and command execution requests.

Discoveries like these are of great concern for the following reasons:

• Model malware-as-a-service is extremely dangerous because it links the cyber crime to the traditional crime that until now has been excluded for lack of adequate technological knowledge. It completely changes the morphology of the crime scenarios, these joint ventures attract capital and strengthen relations between criminal organizations.
• The concern on the born of these services on the impact they have on the spread of malware is high. Many environments today are too vulnerable and scenarios that lie ahead are indeed worrying. The check of these pathways of contamination is mission critical.
• Criminal models such as the one introduced make affordable production of malware, also contribute to the diversification of the agents making complex their detection due to subsequent processing and improving. These groups are led by professionals that are familiar with the mechanisms of antivirus detection of the manufacturers of security products. The spread of malware in this way could be used by terrorists or other groups wishing to conduct cyber attacks providing new and powerful weapons at low cost and without any special risks associated with their acquirement and detention.

Pierluigi Paganini

References

http://labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/